2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through a lab configuration of dynamic P2P GRE over IPsec, in which one tunnel endpoint (R3) obtains its Internet-facing address via DHCP and the other (R1) has a static address.
R1(config)# int f0/0
R1(config-if)# ip add 12.1.1.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# exit
R1(config)# int f0/1
R1(config-if)# ip add 10.1.1.1 255.255.255.0
R1(config-if)# no sh
R1(config-if)# exit
R1(config)# ip route 0.0.0.0 0.0.0.0 12.1.1.2
R3(config)# int f0/0
R3(config-if)# ip add 192.168.1.3 255.255.255.0
R3(config-if)# no sh
R3(config-if)# exit
R3(config)# int f0/1
R3(config-if)# ip address dhcp
R3(config-if)# no sh
R3(config-if)# exit
R3(config)# int loopback 0
R3(config-if)# ip add 3.3.3.3 255.255.255.255
R3(config-if)# exit
Description: R3's interface F0/1 faces the Internet and obtains its address dynamically via DHCP, so the IP address on F0/1 is not known in advance. Loopback 0 (address 3.3.3.3/32) is created to serve as the source address of the local P2P GRE tunnel.
(1) Configure a P2P GRE tunnel on R1 that terminates on R3:
R1(config)# interface tunnel 1
R1(config-if)# ip address 1.1.1.1 255.255.255.0
R1(config-if)# tunnel source 12.1.1.1
R1(config-if)# tunnel destination 3.3.3.3
R1(config-if)# exit
R1(config)# ip route 3.3.3.3 255.255.255.255 12.1.1.2
Note: the P2P GRE tunnel interface on R1 toward R3 is number 1, the tunnel address is 1.1.1.1, the tunnel source is the external interface address 12.1.1.1, and the tunnel destination is R3's Loopback 0 interface address 3.3.3.3. Although the tunnel destination address is not routable on the Internet, a static route must be written that points 3.3.3.3/32 to R1's own Internet exit, because this is the configuration rule.
R3(config)# int tunnel 3
R3(config-if)# ip address 1.1.1.3 255.255.255.0
R3(config-if)# tunnel source loopback 0
R3(config-if)# tunnel destination 12.1.1.1
R3(config-if)# exit
Note: the P2P GRE tunnel interface on R3 toward R1 is number 3, the tunnel address is 1.1.1.3, the tunnel source is the Loopback 0 interface address 3.3.3.3, and the tunnel destination is R1's external interface address 12.1.1.1.
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
R1(config)# crypto ipsec transform-set ccie esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# exit
R1(config)# crypto dynamic-map ddd 10
R1(config-crypto-map)# set transform-set ccie
R1(config-crypto-map)# exit
R1(config)# crypto map mymap 10 ipsec-isakmp dynamic ddd
R1(config)# crypto map mymap local-address fastEthernet 0/0
R1(config)#
R1(config)# int f0/0
R1(config-if)# crypto map mymap
R1(config-if)# exit
*Mar 1 00:32:44.307: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#
Note: the configuration of R1 on the static-IP side differs slightly from that of a Dynamic LAN-to-LAN VPN. Because the IOS version used in this lab environment is higher than 12.2(13)T, the crypto map can only be applied under the physical interface, not under the GRE tunnel interface.
R3(config)# crypto isakmp policy 1
R3(config-isakmp)# encryption 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key 0 cisco123 address 12.1.1.1
R3(config)# crypto ipsec transform-set ccie esp-3des esp-sha-hmac
R3(cfg-crypto-trans)# exit
R3(config)# access-list 100 permit gre host 3.3.3.3 host 12.1.1.1
R3(config)#
R3(config)# crypto map L2l 1 ipsec-isakmp
R3(config-crypto-map)# set peer 12.1.1.1
R3(config-crypto-map)# set transform-set ccie
R3(config-crypto-map)# match address 100
R3(config-crypto-map)# exit
R3(config)# crypto map L2l local-address f0/1
R3(config)# int f0/1
R3(config-if)# crypto map L2l
R3(config-if)#
*Mar 1 00:32:58.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
Note: the configuration of the dynamic-IP side R3 differs slightly from an ordinary LAN-to-LAN VPN in that it includes the command "crypto map L2l local-address f0/1". Because the IOS version used in this lab environment is higher than 12.2(13)T, the crypto map can only be applied under the physical interface, not under the GRE tunnel interface.
Note: traffic originated from the static-IP side cannot bring up the ISAKMP SA, no matter how it is sent. In the Dynamic P2P GRE over IPsec environment, data must first be sent from the dynamic-IP side to the static-IP side; otherwise the GRE tunnel cannot be established and the VPN cannot be completed.
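The notes above describe tunnel endpoints that must mirror each other and a crypto ACL on R3 that must match exactly the GRE packets the tunnel emits. Packets that do not match the ACL are not selected for IPsec protection by the crypto map. The following check is an added example, not part of the original article: the configuration text is constructed from the commands shown above, the names parse and check_pair are hypothetical, and the ACL is not tied to a specific crypto map entry.

```python
import re

# Constructed configuration text restating the tunnel commands shown on this page.
R1 = """interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
interface Tunnel1
 tunnel source 12.1.1.1
 tunnel destination 3.3.3.3
ip route 3.3.3.3 255.255.255.255 12.1.1.2
"""
R3 = """interface Loopback0
 ip address 3.3.3.3 255.255.255.255
interface Tunnel3
 tunnel source Loopback0
 tunnel destination 12.1.1.1
access-list 100 permit gre host 3.3.3.3 host 12.1.1.1
"""

def parse(cfg):
    """Collect interface addresses, tunnel endpoints, host routes and GRE ACL pairs."""
    out = {"addr": {}, "src": None, "dst": None, "routes": set()}
    intf = None
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            intf = w[1].lower()
        elif w[:2] == ["ip", "address"] and len(w) == 4:
            out["addr"][intf] = w[2]          # "ip address dhcp" is skipped
        elif w[:2] == ["tunnel", "source"]:
            out["src"] = w[2].lower()
        elif w[:2] == ["tunnel", "destination"]:
            out["dst"] = w[2]
        elif w[:2] == ["ip", "route"] and w[3:4] == ["255.255.255.255"]:
            out["routes"].add(w[2])
    gre = r"access-list \d+ permit gre host (\S+) host (\S+)"
    out["gre"] = set(re.findall(gre, cfg))    # (source, destination) pairs
    # A tunnel source may name an interface; resolve it to that interface's address.
    out["src"] = out["addr"].get(out["src"], out["src"])
    return out

def check_pair(static_cfg, dynamic_cfg):
    """Return the mismatches between the static-IP and dynamic-IP routers."""
    s, d = parse(static_cfg), parse(dynamic_cfg)
    checks = [
        (s["dst"] == d["src"], "static tunnel destination != dynamic tunnel source"),
        (d["dst"] == s["src"], "dynamic tunnel destination != static tunnel source"),
        (s["dst"] in s["routes"], "static side lacks a host route to the tunnel destination"),
        ((d["src"], d["dst"]) in d["gre"], "dynamic crypto ACL does not match its GRE packets"),
    ]
    return [msg for ok, msg in checks if not ok]
```

check_pair(R1, R3) returns an empty list for the configuration on this page; changing the ACL source host on R3 to the F0/0 address, for instance, reports the crypto ACL mismatch.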
Configure dynamic routing protocol